Security Policy

Introduction

Kāpō Māori Aotearoa New Zealand Incorporated ("we", "our", or "us") is committed to protecting the security of our systems, services, and the data entrusted to us by our members, whānau, and partners. This Security Policy outlines our approach to information security and how we safeguard the integrity, confidentiality, and availability of information.

Our Security Commitment

We are committed to:

• Protecting personal and sensitive information from unauthorised access, disclosure, or misuse
• Maintaining the integrity and availability of our digital services
• Implementing industry-standard security practices
• Continuously improving our security posture
• Responding promptly and transparently to security incidents
• Respecting the principles of Māori data sovereignty (rangatiratanga o ngā raraunga)

Security Measures

Security Incident Response

We maintain an incident response process to handle security events promptly and effectively. In the event of a security incident that may affect your personal information, we will:

• Investigate and contain the incident as quickly as possible
• Assess the scope and impact of the incident
• Notify affected individuals where there is a risk of serious harm
• Report to the Privacy Commissioner as required by law
• Take steps to prevent recurrence
• Document and learn from the incident to improve our security

Responsible Vulnerability Disclosure

We value the security research community and welcome reports of potential security vulnerabilities in our systems. If you believe you have discovered a security vulnerability, please report it responsibly:

• Email your findings to support@redux.nz
• Provide sufficient detail to reproduce the vulnerability
• Allow us reasonable time to investigate and address the issue before any public disclosure
• Do not access or modify data belonging to others
• Act in good faith to avoid disruption to our services

We will acknowledge receipt of your report within 48 hours and keep you informed of our progress. We appreciate responsible disclosure and will not take legal action against researchers who act in good faith and follow these guidelines.

Third-Party Service Providers

We carefully select and monitor third-party service providers who may have access to personal information. Our agreements with these providers include:

• Requirements for appropriate security measures
• Restrictions on use and disclosure of information
• Obligations to notify us of security incidents
• Regular review of their security practices

Your Security Responsibilities

Security is a shared responsibility. When using our services, we encourage you to:

• Use strong, unique passwords for your accounts
• Keep your login credentials confidential
• Report any suspicious activity or potential security issues to us
• Keep your devices and software updated
• Be cautious of phishing attempts and verify communications claiming to be from us
• Log out of accounts when using shared devices

Compliance and Standards

Our security practices are guided by:

• Privacy Act 2020 (New Zealand)
• New Zealand Information Security Manual (NZISM) guidance
• Industry best practices and security frameworks
• Our contractual obligations to funders and partners

Policy Review

We regularly review and update this Security Policy to ensure it remains current and effective. Significant changes will be communicated through our website or direct communication where appropriate.

Contact Us

For security-related enquiries or to report a security concern, please contact:

For general privacy enquiries, please see our Privacy Policy.